We show that all proposed quantum bit commitment schemes are insecure because the sender, 
Alice, can almost always cheat successfully by using an Einstein-Podolsky-Rosen type of attack and 
delaying her measurement until she opens her commitment. 



PACS Numbers: 89.70.+C, 03.65.Bz, 89.80.+h 

Work on quantum cryptography was started by S. J. Wiesner in a paper written in about 1970, but remained unpublished until 1983 [1]. Recently, there have been lots of renewed activities in the subject. The most well-known application of quantum cryptography is the so-called quantum key distribution (QKD) [?], which is useful for making communications between two users totally unintelligible to an eavesdropper. QKD takes advantage of the uncertainty principle of quantum mechanics: Measuring a quantum system in general disturbs it. Therefore, eavesdropping on a quantum communication channel will generally leave unavoidable disturbance in the transmitted signal which can be detected by the legitimate users. Besides QKD, other quantum cryptographic protocols [?] have also been proposed. In particular, it is generally believed [?] that quantum mechanics can protect private information while it is being used for public decision. Suppose Alice has a secret x and Bob a secret y. In a "two-party secure computation" (TPSC), Alice and Bob compute a prescribed function f(x,y) in such a way that nothing about each party's input is disclosed to the other, except for what follows logically from one's private input and the function's output. An example of the TPSC is the millionaires' problem: Two persons would like to know who is richer, but neither wishes the other to know the exact amount of money he/she has.

In classical cryptography, TPSC can be achieved either through trusted intermediaries or by invoking some unproven computational assumptions such as the hardness of factoring large integers. The great expectation is that quantum cryptography can get rid of those requirements and achieve the same goal using the laws of physics alone. At the heart of such optimism has been the widespread belief that unconditionally secure quantum bit commitment (QBC) schemes exist [?]. Here we put such optimism into very serious doubt by showing that all proposed QBC schemes are insecure: A dishonest party can exploit the non-local Einstein-Podolsky-Rosen (EPR) [18] type correlations in quantum mechanics to cheat successfully. To do so, she generally needs to maintain the coherence of her share of a quantum system by using a quantum computer. We remark that all proposed QBC schemes contain an invalid implicit assumption that some measurements are performed by the two participants. This is why this EPR-type of attack was missed in earlier analysis.

Let us first introduce bit commitment. A bit com- 
mitment scheme generally involves two parties, a sender, 
Alice and a receiver, Bob. Suppose that Alice has a bit 
(b = 0 or 1) in mind, to which she would like to be 
committed towards Bob. That is, she wishes to provide 
Bob with a piece of evidence that she has already chosen 
the bit and that she cannot change it. Meanwhile, Bob 
should not be able to tell from that evidence what b is. 
At a later time, however, it must be possible for Alice 
to open the commitment. In other words, Alice must be 
able to show Bob which bit she has committed to and 
convince him that this is indeed the genuine bit that she 
had in mind when she committed. 

A concrete example of an implementation of bit com- 
mitment is for Alice to write down her bit in a piece of 
paper, which is then put in a locked box and handed 
over to Bob. While Alice cannot change the value of the 
bit that she has written down, without the key to the 
box Bob cannot learn it himself. At a later time, Alice 
gives the key to Bob, who opens the box and recovers the 
value of the committed bit. This illustrative example of 
implementation is, however, inconvenient and insecure. 
A locked box may be very heavy and Bob may still try 
to open it by brute force (e.g. with a hammer). 

What do we mean by cheating? As an example, a cheating Alice may choose a particular value of b during the commitment phase and tell Bob another value during the opening phase. A bit commitment scheme is secure against a cheating Alice only if such a fake commitment can be discovered by Bob. For concreteness, it is instructive to consider a simple QBC protocol due to Bennett and Brassard [?]. Its procedure goes as follows: Alice and Bob first agree on a security parameter, a positive integer s. The sender, Alice, chooses the value of the committed bit, b. If b = 0, she prepares and sends Bob a sequence of s photons each of which is randomly chosen to be either horizontally or vertically polarized. Of course, the value of b is kept secret during the commitment phase. Moreover, the actual polarization of each photon chosen by Alice is not announced to Bob. Similarly, if b = 1, she prepares and sends Bob a sequence of s photons each of which is randomly chosen to be either 45-degree or 135-degree polarized but once again the actual polarization of each photon is kept secret by Alice. Bob chooses randomly between the rectilinear (horizontal and vertical) and diagonal (45-degree or 135-degree) bases to measure the polarization of each photon. This completes the commitment phase. A simple calculation shows that the two density matrices describing the s photons corresponding to b = 0 and b = 1 respectively are exactly the same (and are proportional to the identity matrix). Consequently, Bob cannot learn anything about the value of b.

At a later time, Alice may open her commitment by announcing the value of b and the actual polarization of each of the s photons. Since Bob has chosen his basis (rectilinear or diagonal) of measurement randomly for each photon in the commitment phase, on average, only half of the s photons have been measured by him in the correct basis. For those photons, Bob can verify that Alice's announced polarizations match his measurement results. Barring EPR attacks, a cheating Alice may, for example, send rectilinear photons in the commitment phase (hence commits to b = 0) but tell Bob that they are diagonal photons in the opening phase (hence announces b = 1). This is cheating. Alice then has to make a random guess for the polarizations of the photons that Bob has measured along the diagonal basis. Since Bob, on average, measures s/2 photons along the diagonal basis, Alice, with such a cheating strategy, has only a probability of $(1/2)^{s/2}$ for success. See [?] for details.

A key weakness of Bennett and Brassard's scheme is that Alice can always cheat successfully by using EPR-pairs. Alice can prepare s EPR-pairs of photons and send a member of each pair to Bob during the commitment phase. She skips her measurements and decides on the value of b only at the beginning of the opening phase. If she chooses the value of b to be 0, she measures the polarization of the photons in her share along the rectilinear basis. It is a standard property (the EPR paradox) of an EPR pair that Alice's measurement result on a photon will always be perpendicular to Bob's result on the other photon of the pair. Alice can, therefore, proudly announce those polarizations. Similarly, for b = 1, she simply measures along the diagonal basis and proceeds in a similar manner. There is no way for Bob to detect this attack.

Bennett and Brassard noted this weakness in the same paper in which they proposed their scheme [?]. Nonetheless, new QBC schemes have been proposed and it has been generally accepted in the literature that they defeat an EPR-type of attack. Our goal here is to demonstrate that, contrary to popular belief, precisely the same type of EPR attack defeats all proposed QBC schemes.

All proposed schemes involve only one-way communi- 
cations from Alice to Bob. On the conceptual level, they 
all involve Alice sending two quantum systems to Bob, 
one during the commit phase and the other during the 
opening phase. [There is no loss of generality in our anal- 
ysis in considering quantum communications alone since 
classical communications is just a special case of quantum 
communications.] More precisely, the general procedure 
of any proposed QBC scheme can be rephrased in the 
following manner: 

(1) Alice chooses the value of a bit b to which she would like to be committed towards Bob. If b = 0, she prepares a state

$$|0\rangle = \sum_i \alpha_i \, |e_i\rangle_A \otimes |\phi_i\rangle_B , \tag{1}$$

where $\langle e_i | e_j \rangle_A = \delta_{ij}$ but the normalized states $|\phi_i\rangle_B$'s are not necessarily orthogonal to each other. Similarly, if b = 1, she prepares a state

$$|1\rangle = \sum_j \beta_j \, |e'_j\rangle_A \otimes |\phi'_j\rangle_B , \tag{2}$$

where $\langle e'_i | e'_j \rangle_A = \delta_{ij}$ but $|\phi'_j\rangle_B$'s are not necessarily orthogonal to each other.

Both Alice and Bob are supposed to know the states $|0\rangle$ and $|1\rangle$. This implies, in particular, that both of them know the states $|\phi_i\rangle_B$ and $|\phi'_j\rangle_B$.

(2) An honest Alice is now supposed to make a measurement on the first register and determine the value of i if b = 0 (j if b = 1).

(3) Alice sends the second register to Bob as a piece of 
evidence for her commitment. 

(4) At a later time, Alice opens the commitment by 
declaring the value of b and of i or j. 

(5) Bob performs measurements on the second register to verify that Alice has indeed committed to the genuine bit. More precisely, the data received from Alice (the values of b and also i or j) should be correlated with Bob's experimental results on the second register. If such expected correlations do appear, Bob accepts that Alice has executed the protocol honestly. Otherwise, Bob suspects that Alice is cheating.

We emphasize that all proposed QBC schemes follow 
the five-step procedure described above. For instance, 
Bennett and Brassard's scheme described earlier falls into 
this class if we give Bob the liberty to store up his photons 
and measure them only after the opening (step 4) of the 
commitment by Alice. But, if Alice can cheat against 
even such a powerful Bob, clearly she can cheat against 
Bob who has no such storage capability. 

Our proof of insecurity of QBC goes as follows: First of all, in order that Bob cannot tell what b is, the second register (the quantum system that Bob receives during the commit phase) must contain very little information about which bit Alice has committed to. As a start, let us consider the ideal case in which the second register contains absolutely no information about the value of b. [Bennett and Brassard's scheme [?] and Ardehali's scheme [?] are ideal whereas Brassard and Crepeau's scheme [?] and the most well-known BCJL scheme [?] are non-ideal. We will come to the non-ideal case near the end of this Letter.] In the ideal case, to ensure that Bob has no information about the committed bit b, the density matrices describing the second register associated with the bits 0 and 1 are the same, i.e.,

$$\mathrm{Tr}_A |0\rangle\langle 0| = \rho_0^B = \rho_1^B = \mathrm{Tr}_A |1\rangle\langle 1| . \tag{3}$$

It then follows from the Schmidt decomposition [19] that

$$|0\rangle = \sum_k \sqrt{\lambda_k} \, |e_k\rangle_A \otimes |\phi_k\rangle_B \tag{4}$$

and

$$|1\rangle = \sum_k \sqrt{\lambda_k} \, |e'_k\rangle_A \otimes |\phi_k\rangle_B , \tag{5}$$

where $\{|e_k\rangle_A\}$, $\{|e'_k\rangle_A\}$ and $\{|\phi_k\rangle_B\}$ are orthonormal bases of the corresponding Hilbert spaces and $\lambda_k$'s are the eigenvalues of the reduced density operator, $\mathrm{Tr}_A |0\rangle\langle 0| = \mathrm{Tr}_A |1\rangle\langle 1|$. Notice that the $\lambda_k$'s and $|\phi_k\rangle_B$'s are the same for the two states and the only difference lies in Alice's system $|e_k\rangle_A$'s vs $|e'_k\rangle_A$'s. Now consider the unitary transformation $U_A$ which maps $|e_k\rangle_A$ to $|e'_k\rangle_A$. It clearly maps $|0\rangle$ to $|1\rangle$. Note that the transformation $U_A$ acts on Alice's system alone and yet rotates $|0\rangle$ to $|1\rangle$. That is, Alice can apply $U_A$ without Bob's help. Therefore, Alice can cheat by changing b = 0 to b = 1 in the opening phase.

More concretely, consider the following cheating strategy: In the first step, Alice always prepares $|0\rangle$ corresponding to b = 0. She then skips the second (measurement) step and sends the second register to Bob as prescribed in the third step. She decides on the value of b to announce only in the beginning of the opening phase (step 4). Should she now choose b to be zero, she executes the protocol honestly. On the other hand, if she now chooses b to be one, she applies the unitary transformation $U_A$ to rotate $|0\rangle$ to $|1\rangle$ and executes the protocol for b = 1 instead. Consequently, Alice can always cheat successfully. Notice that Alice is able to cheat primarily because she can delay her measurement until step four. To do so, Alice generally needs a quantum computer. While it is a challenging technological feat to build a quantum computer, it is not forbidden by the laws of quantum physics. The possibility of a dishonest Alice skipping the second step (i.e., delaying her measurements) was not considered in Ref. [?]. This was the chief reason why earlier researchers came to the erroneous conclusion that the BCJL scheme is provably unbreakable.
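
The ideal-case argument above, worked through numerically for one photon of the Bennett and Brassard scheme. This is an added example, not code from the original Letter; the amplitude tables `STATE0` and `STATE1` and all function names are constructed for illustration, with both of Alice's registers written in the same computational basis and real amplitudes assumed.

```python
import math

# Constructed single-photon instance of Eqs. (1)-(2). C[i][k] is the amplitude
# of |i>_A (x) |k>_B, where Bob's basis is k = 0 (horizontal), 1 (vertical).
R = 1 / math.sqrt(2)
STATE0 = [[R, 0.0], [0.0, R]]        # b = 0: Alice's index labels H / V
STATE1 = [[0.5, 0.5], [0.5, -0.5]]   # b = 1: Alice's index labels 45 / 135 degrees

def matmul(x, y):
    return [[sum(x[i][k] * y[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]

def transpose(x):
    return [[x[j][i] for j in range(2)] for i in range(2)]

def close(x, y, tol=1e-12):
    return all(abs(x[i][j] - y[i][j]) < tol for i in range(2) for j in range(2))

def bob_density(c):
    """Tr_A |psi><psi| for real amplitudes: rho_B = C^T C (left side of Eq. 3)."""
    return matmul(transpose(c), c)

def inverse(x):
    det = x[0][0] * x[1][1] - x[0][1] * x[1][0]
    return [[x[1][1] / det, -x[0][1] / det], [-x[1][0] / det, x[0][0] / det]]

def alice_rotation(c0, c1):
    """U_A with (U_A (x) 1)|0> = |1>, i.e. U_A C0 = C1.

    Valid here because C0 has full Schmidt rank, so it can be inverted.
    """
    return matmul(c1, inverse(c0))

def is_unitary(u):
    return close(matmul(transpose(u), u), [[1.0, 0.0], [0.0, 1.0]])

def demo():
    u_a = alice_rotation(STATE0, STATE1)
    return {
        "same_rho_B": close(bob_density(STATE0), bob_density(STATE1)),  # Eq. (3)
        "u_a": u_a,                          # acts on Alice's register only
        "unitary": is_unitary(u_a),
        "maps_0_to_1": close(matmul(u_a, STATE0), STATE1),
    }

if __name__ == "__main__":
    print(demo())
```

For this instance $U_A$ comes out as the Hadamard matrix: Bob's register is never touched, yet the joint state moves from $|0\rangle$ to $|1\rangle$.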

In the above discussion, we have assumed the ideal situation in which Bob has absolutely no information about the value of b during the commitment phase and hence the density matrices describing the second register for the two cases b = 0 and b = 1 are the same. (See Eq. (3).) However, Brassard and Crepeau's scheme [?] and the BCJL scheme [?] are non-ideal in the sense that they violate Eq. (3) slightly and give Bob some probability of distinguishing between $\rho_0^B$ and $\rho_1^B$. Intuition seems to indicate that this is not going to change our conclusion: On the one hand, if Bob has a large probability of distinguishing between the two states, the scheme will be unsafe against a cheating Bob. On the other hand, if Bob has only a very small probability of distinguishing between the two states, clearly the two density matrices $\rho_0^B$ and $\rho_1^B$ must be close to each other in some sense and essentially the same physics should apply.

Following Mayers [20], we now consider the non-ideal case when $\rho_0^B \neq \rho_1^B$. The closeness between two states of B specified by the two density matrices $\rho_0^B$ and $\rho_1^B$ is commonly described by the concept of fidelity [21], which can be defined in terms of purifications. Imagine a system A attached to Bob's system B. There are many pure states $|\psi_0\rangle$ and $|\psi_1\rangle$ on the composite system such that

$$\mathrm{Tr}_A \left( |\psi_0\rangle\langle\psi_0| \right) = \rho_0^B \quad \text{and} \quad \mathrm{Tr}_A \left( |\psi_1\rangle\langle\psi_1| \right) = \rho_1^B . \tag{6}$$

The pure states $|\psi_0\rangle$ and $|\psi_1\rangle$ are called the purifications of the density matrices $\rho_0^B$ and $\rho_1^B$. The fidelity can be defined as

$$F(\rho_0^B, \rho_1^B) = \max |\langle \psi_0 | \psi_1 \rangle| \tag{7}$$

where the maximization is over all possible purifications. $0 \le F \le 1$. $F = 1$ if and only if $\rho_0^B = \rho_1^B$. We remark that for any fixed purification of $\rho_1^B$, e.g. $|1\rangle$ in Eq. (2), there exists a maximally parallel purification of $\rho_0^B$ which satisfies Eq. (7).

For non-ideal QBC schemes, the fact that Bob has a small probability for distinguishing between $\rho_0^B$ and $\rho_1^B$ means that [?]

$$F(\rho_0^B, \rho_1^B) = 1 - \delta \tag{8}$$

for some small $\delta > 0$. It then follows from Eqs. (7) and (8) that, for the state $|1\rangle$ given in Eq. (2), there exists a purification $|\psi_0\rangle$ of $\rho_0^B$ such that

$$|\langle \psi_0 | 1 \rangle| = F(\rho_0^B, \rho_1^B) = 1 - \delta . \tag{9}$$

The strategy of a cheating Alice for a non-ideal bit commitment scheme is the same as before. She prepares the state $|0\rangle$ corresponding to b = 0 in the first step, skips the second (measurement) step and sends the second register to Bob as prescribed in the third step. She decides on the value of b only in the beginning of the opening phase (step 4). If she now chooses b = 0, she simply follows the rule. If she chooses b = 1, she applies a unitary transformation to the quantum system on her share to obtain the state $|\psi_0\rangle$ which satisfies Eq. (9). Such a unitary transformation exists because, as can be seen in the Schmidt decomposition [19], all purifications $|\phi\rangle_{AB}$ of a fixed density matrix $\rho_B$ are related to one another by unitary transformations acting on A alone and A is in Alice's hands. Notice that if Alice had been honest, she would have prepared $|1\rangle$ in the first step instead. (See Eq. (2).) Nonetheless, since $|\psi_0\rangle$ and $|1\rangle$ are so similar to each other (See Eq. (9).), Bob clearly has a hard time in detecting the dishonesty of Alice. Therefore, Alice can cheat successfully with a very large probability.

Bennett, G. Brassard, C. Crepeau, D. P. DiVincenzo, L. 
Goldenberg, R. Jozsa, J. Kilian, D. Mayers, J. Preskill, 
P. Shor, T. Toffoli and F. Wilczek after the completion of 
an earlier version of this Letter. This work is supported 
in part by DOE grant DE-FG02-90ER40542. 

Notes added: The insecurity of the BCJL scheme [?] has also been investigated independently by Mayers [20]. More recently, Mayers [22] has generalized the above result to prove that all quantum bit commitment schemes, including ones that involve two-way (quantum) communications between Alice and Bob, are insecure. The same result and the impossibility of ideal quantum coin tossing are discussed in our recent preprint [23]. The impossibility of some other quantum protocols has recently been demonstrated by Lo [24]. These surprising discoveries constitute a major setback to quantum cryptography. The exact boundary to the power of quantum cryptography remains an important subject for future investigations.